Patching ROM-0 Bug With Misfortune Cookie

This is a paper just for fun, especially for those embedded hackers who are looking
for fun in tweaking embedded systems. So, this is not the proper solution to fix the
ROM-0 bug; it is ridiculous to fix a bug with another bug. Anyway, let's start
our fun now. From my previous paper, "Misfortune Cookie Demystified", it is
clear that we can perform an arbitrary address overwrite with arbitrary data. Besides
unlocking a router, it is possible to patch a router in order to fix the ROM-0 bug.
Before that, let us have a look at the data format of the overwrite action
executed by Misfortune Cookie in detail. Back to the code snippet.

According to Piotrbania [1], there is a "god mode" which has to be triggered
to enable hidden commands. The hidden commands allow us to view the memory
mapping and to edit memory contents, as shown below: